Does authorization equal entitlements?

Back in the early mists of identity time, "identity management" was referred to as "AAA" (triple A) -- authentication, access control and authorization. Over time, AAA evolved to mean authentication, authorization and accountability. Those were seen as the three large functional categories within what came to be called identity management. Eventually, as technology and understanding evolved, categories such as provisioning, federation, web access control, E-SSO, etc. were added. The big three categories remained, but we came to call the whole group of functions "identity management."

Recently, a startup named Securent brought me back to thinking about "authorization." Securent has released some products to deal with what they're calling "entitlement management" at the application layer. The naming convention is interesting, and useful.

As the enterprise has come to deal with the networking of everything, the topic of "authorization" has risen to the top. Controlling "access" to the enterprise was always a nice first step, but it doesn't solve the problems of compliance in today's regulatory environment. Access control was the application layer's version of the network firewall: it created an "inside" and an "outside" and controlled who could get inside. This concept works well as far as it goes, but, as has been found with firewalls at the network layer, it doesn't scale well and it tends to fight the type of mobility networking seeks to deliver.

Authorization -- dealing with who has the right to do what with what, where, and when -- gets to the heart of the problem: what are people *entitled* to do. It jumps over proxy concepts like location, devices, etc. and goes right to the problem at hand. Thus, "entitlement management" as a category makes some sense. Is that just semantic trickery on the part of Securent in this case? Maybe, maybe not (I haven't seen the products). But it could be a useful semantic step in facilitating the conceptual shift from "barrier security" paradigms to the truly identity-based paradigms networked computing requires.
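The who/what/where/when decision described above, as an added illustration (not code from the post or from Securent): a small policy evaluator that contrasts the perimeter "inside/outside" check with an entitlement check over subject, action, resource, location and time. The roles, locations and policy below are constructed for the example.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    subject: str        # who
    roles: frozenset    # subject attributes, e.g. {"employee", "finance"}
    action: str         # do what
    resource: str       # with what
    location: str       # where: "office", "vpn" or "public" (constructed)
    at: time            # when

@dataclass(frozen=True)
class Entitlement:
    roles: frozenset
    actions: frozenset
    resource_prefix: str
    locations: frozenset
    window: tuple = (time(0, 0), time(23, 59))  # inclusive (start, end)

    def matches(self, r: Request) -> bool:
        start, end = self.window
        return (bool(self.roles & r.roles)
                and r.action in self.actions
                and r.resource.startswith(self.resource_prefix)
                and r.location in self.locations
                and start <= r.at <= end)

# Constructed policy: finance staff may read and approve invoices from the
# office or VPN during business hours; any employee may read the wiki anywhere.
POLICY = [
    Entitlement(frozenset({"finance"}), frozenset({"read", "approve"}),
                "invoices/", frozenset({"office", "vpn"}),
                (time(8, 0), time(18, 0))),
    Entitlement(frozenset({"employee"}), frozenset({"read"}),
                "wiki/", frozenset({"office", "vpn", "public"})),
]

def perimeter_allows(r: Request) -> bool:
    """Barrier model: anyone already 'inside' is let through."""
    return r.location in {"office", "vpn"}

def entitled(r: Request, policy=POLICY) -> bool:
    """Entitlement model: deny unless some entitlement covers the request."""
    return any(e.matches(r) for e in policy)

def check(subject, roles, action, resource, location, hh, mm=0):
    """Return (perimeter decision, entitlement decision) for one request."""
    r = Request(subject, frozenset(roles), action, resource, location, time(hh, mm))
    return perimeter_allows(r), entitled(r)
```

An engineer inside the office passes the perimeter check but is not entitled to approve invoices, while an employee reading the wiki from a public network fails the perimeter check yet is entitled; the two models answer different questions.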

Beyond authorization and entitlement, the breaking wave in identity is visibility. You can provision, federate, authorize, entitle, and audit - but what you're ultimately trying to provide is real-time visibility into a network. Seeing what's going on gives you the ability to enforce policy, but seeing across the entire networked environment of the enterprise is not an easy process.

And the authorization of entitlements is the next step in that process.
